The "Cyber Security Information Act," to be announced Wednesday, would keep vulnerability information away from the public.

Sensitive information about computer network vulnerabilities and intrusions transferred from the private sector to the federal government would be shielded from public disclosure, under a bill set to be announced Wednesday by Representatives Tom Davis (R-Va.) and Jim Moran (D-Va.).

The proposed legislation would carve out a new exemption to the Freedom of Information Act (FOIA), a law, used primarily by journalists, that allows a certain degree of public access to government files.

Companies have cited FOIA as a roadblock to the public-private partnership envisioned by President Clinton's cyberterrorism policy. The Administration has long pushed for the creation of an Information Sharing and Analysis Center (ISAC) which would act as a central repository for cyberthreat data, both among companies, and between corporations and the government. But the private sector has proven reluctant to give agencies potentially sensitive and embarrassing information that could be accessible to the public through FOIA.

According to a draft of the proposed "Cyber Security Information Act" obtained by SecurityFocus.com, the bill would allow federal agencies to specifically designate requests for information as FOIA exempt. Anything obtained in response to such a request would be kept confidential, and "may not be used by any Federal entity, agency or authority or by any third party, directly or indirectly, in any civil action."

The bill also clears the way for government participation in ISACs by automatically protecting any information obtained through such participation. Data obtained through independent channels, whether by the government or by third parties, would not be covered.

"Death of a Thousand Cuts"
The Davis-Moran bill was originally set for formal submission last month, but was delayed after industry and public interest groups intervened, according to a congressional source close to the proposal. In addition to the FOIA exemption, the bill would also exempt companies from any antitrust action based on their sharing of cyberterror information with each other.

Unlike a broader, executive branch proposal, the bill would not cover information about physical vulnerabilities and threats, only electronic ones. Steve Aftergood, head of the Federation of American Scientists Project on Government Secrecy, is encouraged by the narrower focus, but notes that there are already nine FOIA exemptions, including carve-outs for law enforcement and intelligence files.

"At some point the FOIA will suffer a death from a thousand cuts," said Aftergood. "There is an alarming tendency to carve out exemptions to FOIA at the drop of any hat you may have. At some point the FOIA will lose its utility if it's not treated with some more respect."

"To the extent that fear of FOIA is a deterrent to sharing information, I support this effort to remove that barrier," says Mark Rasch, an attorney with Virginia-based Global Integrity who consulted on the bill. But Rasch warns that a new FOIA exemption will not abolish all tension between private companies and government agencies.

Global Integrity runs the Financial Services Information Sharing and Analysis Center, which the financial community uses to share threat and vulnerability information anonymously among its members. The private ISAC operates very much like the one envisioned by the Clinton Administration, except that federal agencies are allowed only limited access.

Rasch says that the multiple roles played by the government -- customer, law enforcer, and regulator -- will remain an obstacle to private sector cooperation. "People think the only reason companies aren't sharing information with the government is because of antitrust and FOIA, but those are not the only concerns." Companies are reluctant to give the government information on attacks and vulnerabilities that regulators may use against them later, Rasch says. "What's needed is an immunity, not just an exemption."